GHSA-4c7q-4928-8445HighCVSS 7.3

chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Chmoder::chmod() only compares the literal argument against Path::new("/"), so the --preserve-root guard is bypassed by any path that resolves to root — a symlink to / or simply /../.

if self.recursive && self.preserve_root && file == Path::new("/") {
    return Err(ChmodError::PreserveRoot("/".to_string()).into());
}

PoC — recursively chmods the entire filesystem to 000 despite --preserve-root:

chmod -R --preserve-root 000 /../ -v

Impact: --preserve-root is the documented safeguard against destructive recursive operations on /. Bypassing it allows chmod -R to alter permissions across the whole filesystem, causing a complete system breakdown. Recommendation: canonicalize the target path before comparing against root.

Remediation: Acknowledged by Canonical; fixed in commit 413055b3.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.1. Credit: Zellic.

🎯 Affected products1

  • rust/uu_chmod:< 0.6.0

🔗 References (6)